Russian state-backed actors are exploiting an Outlook vulnerability to compromise Microsoft Exchange accounts and extract sensitive data, warns the Microsoft Threat Intelligence team. The security flaw in Outlook for Windows, disclosed by Microsoft in March, can grant unauthorised access to emails and facilitate the theft of sensitive information. Identified as CVE-2023-23397, the critical vulnerability allows attackers to gain elevated privileges. Cybercriminals can send a specially crafted message to steal NTLM hashes and use them in NTLM relay attacks, authenticating remotely without any user involvement. Microsoft addressed the zero-day flaw in the March Patch Tuesday updates, but reports indicate that Russian hackers continue to exploit the privilege escalation vulnerability on unpatched systems. The hacking group Forest Blizzard targets government, transportation, energy, and non-governmental organisations in the US, Europe, and the Middle East. The Microsoft Incident Response team notes the group's continual refinement of its tactics and malware, which makes attribution and tracking of its activities difficult.
In collaboration with the Polish Cyber Command (DKWOC), Microsoft is working to uncover the tactics employed by the Forest Blizzard hackers. To guard against these advanced attacks, organisations are urged to apply the patch for CVE-2023-23397 on their susceptible Exchange Server. Microsoft has also released a script to help administrators pinpoint compromised systems within their networks.
Microsoft advises IT administrators to reset passwords for compromised accounts and to enforce multi-factor authentication (MFA) for all users. It further recommends disabling NTLM and, for additional protection, limiting SMB traffic by blocking inbound connections to ports 135 and 445 from all IP addresses.
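The two host-level mitigations in the paragraph above (restricting NTLM and blocking inbound TCP 135 and 445) can be applied and verified with the following PowerShell. This is an added example written for this page; it is not Microsoft's detection script and is not from the article. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the NetSecurity module's `New-NetFirewallRule` and `Get-NetFirewallPortFilter` cmdlets exist; the firewall rule name and the `Get-MitigationState` function are names chosen here, not standard ones. The registry value it sets is the one behind the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.

```powershell
# Added example (not Microsoft's script, not from the article): applies the article's
# NTLM and SMB mitigations on a single Windows host and reports the resulting state.
# Assumptions: elevated session, NetSecurity module available, rule name chosen here.
# Design choice: NTLM restriction defaults to audit-only so that applications still
# depending on NTLM show up in the event log before outgoing NTLM is denied outright.

#Requires -RunAsAdministrator

param(
    # 'Audit' sets RestrictSendingNTLMTraffic = 1 (log NTLM use, do not block);
    # 'Deny'  sets RestrictSendingNTLMTraffic = 2 (deny outgoing NTLM to remote servers).
    [ValidateSet('Audit', 'Deny')]
    [string]$NtlmMode = 'Audit'
)

# Rule name is an assumption for this example, not a Windows default.
$ruleName = 'Block inbound SMB and RPC endpoint mapper (CVE-2023-23397 mitigation)'
$lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# 1. Firewall: block inbound TCP 135 (RPC endpoint mapper) and 445 (SMB) from any remote address.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 135, 445 `
        -RemoteAddress Any -Action Block -Profile Any | Out-Null
}

# 2. NTLM: registry value behind "Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    (0 = allow all, 1 = audit all, 2 = deny all).
$ntlmValue = if ($NtlmMode -eq 'Deny') { 2 } else { 1 }
Set-ItemProperty -Path $lsaPath -Name 'RestrictSendingNTLMTraffic' -Value $ntlmValue -Type DWord

# 3. Verify: read back the firewall rule and registry value so the result can be
#    checked by eye or consumed by a compliance script.
function Get-MitigationState {
    $rule  = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    $ports = if ($rule) { ($rule | Get-NetFirewallPortFilter).LocalPort } else { @() }
    $ntlm  = (Get-ItemProperty -Path $lsaPath -Name 'RestrictSendingNTLMTraffic' `
                 -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    [pscustomobject]@{
        FirewallRulePresent = [bool]$rule
        FirewallRuleEnabled = if ($rule) { [string]$rule.Enabled -eq 'True' } else { $false }
        BlockedPorts        = ($ports -join ', ')
        NtlmRestriction     = switch ($ntlm) {
            0       { 'AllowAll' }
            1       { 'AuditAll' }
            2       { 'DenyAll' }
            default { 'NotConfigured' }
        }
    }
}

Get-MitigationState | Format-List
```

Run it once with the default `-NtlmMode Audit`, review the NTLM audit events it produces over a few days, and only then rerun with `-NtlmMode Deny`; in a domain, the same two settings are better pushed through Group Policy than applied host by host.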